基于docker的开源堡垒机jumpserver的安装与实践

官方资源

官网
文档-1 或者 文档-2

主机节点准备

redis-server        10.1.100.1
mysql-server        10.1.100.2
jumpserver-server    10.1.100.3
coco-server            10.1.100.4
guacamole-server    10.1.100.5

准备部分参数

#`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
SECRET_KEY    rjiVvmKJcNF5CNjeocwooBFjI7KetU2yrQhRmuW2TXVWzoe16m
#`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
BOOTSTRAP_TOKEN    tskMDJsbgxRc6WAx
DB_HOST 10.1.100.2
DB_PORT 3306
DB_USER    jumpserver
DB_PASSWORD    jumpserver
REDIS_HOST    10.1.100.1
#不设置密码
REDIS_PASS

注意：需为数据库用户 jumpserver 授予访问 jumpserver 库的权限

构建jumpserver镜像及运行

书写内容

Dockerfile

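FROM centos:7

# The EPEL repo definition is fetched over plain HTTP from a mirror, so the
# repo file itself is not integrity-checked at build time.
RUN yum -y update && \
    curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

RUN yum -y install wget gcc epel-release git python36 python36-devel

# Create the virtualenv. Activating it inside a RUN step has no lasting effect
# (each RUN is a fresh shell), so the later steps re-activate it explicitly.
RUN mkdir -p /opt/ && cd /opt && \
    python3.6 -m venv py3

WORKDIR /opt

RUN git clone --depth=1 https://github.com/jumpserver/jumpserver.git && cd jumpserver/requirements && \
    yum -y install $(cat rpm_requirements.txt)


RUN source /opt/py3/bin/activate && pip install --upgrade pip setuptools
RUN source /opt/py3/bin/activate && pip install -r jumpserver/requirements/requirements.txt

#root init
#RUN DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24` && echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m" && \
#    mysql -h${DB_HOST} -uroot -p${DB_PASSWORD} -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'%' identified by '$DB_PASSWORD'; flush privileges;"

RUN cp /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml
COPY nginx.repo /etc/yum.repos.d/nginx.repo

# systemd does not run inside this container and start.sh launches nginx
# directly, so the original `systemctl enable nginx` is dropped.
RUN yum -y install yum-utils && yum makecache fast && \
    yum install -y nginx && rm -rf /etc/nginx/conf.d/default.conf

COPY jumpserver.conf /etc/nginx/conf.d/default.conf

# luna release tarball; no checksum is verified here.
RUN wget https://github.com/jumpserver/luna/releases/download/1.4.9/luna.tar.gz && tar zxf luna.tar.gz && rm -rf luna.tar.gz

# start.sh reads all of these from the *runtime* environment
# (`docker service create --env ...`). The ARGs below are build-time only and
# are never exported as ENV, so they must not carry secret defaults: an ARG
# default is recorded in the image history. DB_PORT is declared but not
# consumed by start.sh.
ARG DB_HOST=127.0.0.1
ARG DB_PORT=3306
ARG DB_USER=
ARG DB_PASSWORD=

ARG REDIS_HOST=127.0.0.1
ARG REDIS_PASS=

# Generate per deployment, e.g. `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
ARG SECRET_KEY=
# Generate per deployment, e.g. `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
ARG BOOTSTRAP_TOKEN=

COPY start.sh start.sh
RUN chmod +x ./start.sh

EXPOSE 80 8080
ENTRYPOINT ["./start.sh"]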

jumpserver.conf
注意：该文件中各 location 语句块的 proxy_pass 地址需根据实际部署情况变更

# JumpServer front end: serves luna (web terminal) and the static/media
# directories from disk and proxies /coco/, /socket.io/ and /guacamole/ to
# the other nodes and everything else to the core on 127.0.0.1:8080.
# Only plain HTTP on port 80 is configured here; terminate TLS in front of
# this server before exposing it beyond the management network.
server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  _;

    client_max_body_size 100m;  # size limit for session recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # session recordings; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
    }

    location /socket.io/ {
        proxy_pass       http://10.1.100.4:9131/socket.io/;  # if coco runs on another host, put its IP here
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #access_log off;
    }

    location /coco/ {
        proxy_pass       http://10.1.100.4:9131/coco/;  # if coco runs on another host, put its IP here
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://10.1.100.5:9132/;  # if guacamole runs on another host, put its IP here
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;  # if jumpserver runs on another host, put its IP here
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

nginx.repo

# Official nginx stable repository. baseurl is plain http, but gpgcheck=1
# makes yum verify every package against the signing key fetched over https.
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key

start.sh

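#!/bin/bash
# Container entrypoint for the jumpserver image: renders /opt/jumpserver/config.yml
# from the runtime environment, then starts nginx and all jms components.
#
# Required env: SECRET_KEY, BOOTSTRAP_TOKEN, DB_HOST, DB_USER, DB_PASSWORD, REDIS_HOST
# Optional env: REDIS_PASS (empty means no redis password)
# Not consumed here: DB_PORT (config.yml keeps whatever the example file sets).

localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 && export LC_ALL=zh_CN.UTF-8 && echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
source /opt/py3/bin/activate

# Fail early with a clear message instead of writing empty values into config.yml.
: "${SECRET_KEY:?SECRET_KEY must be set}"
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN must be set}"
: "${DB_HOST:?DB_HOST must be set}"
: "${DB_USER:?DB_USER must be set}"
: "${DB_PASSWORD:?DB_PASSWORD must be set}"
: "${REDIS_HOST:?REDIS_HOST must be set}"
REDIS_PASS=${REDIS_PASS:-}

readonly config=/opt/jumpserver/config.yml

# Escape a value for the right-hand side of a sed s/// expression: '/', '&'
# and '\' would otherwise be interpreted by sed (a password containing '/'
# broke the original unescaped substitutions).
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

# Apply `s/$1/$2/g` to config.yml, aborting the start on failure.
cfg_sub() {
  sed -i "s/$1/$2/g" "$config" || exit 1
}

# Kept from the original: values are also appended to ~/.bashrc for interactive
# shells. This appends on every start and leaves both secrets on the container
# filesystem.
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc

# Always start from the pristine example so that restarting the same container
# does not apply the substitutions twice (the original `s/SECRET_KEY:/.../`
# also matched the already-filled line and appended the value again).
cp /opt/jumpserver/config_example.yml "$config" || exit 1
cfg_sub 'SECRET_KEY:' "SECRET_KEY: $(sed_escape "$SECRET_KEY")"
cfg_sub 'BOOTSTRAP_TOKEN:' "BOOTSTRAP_TOKEN: $(sed_escape "$BOOTSTRAP_TOKEN")"
cfg_sub '# DEBUG: true' 'DEBUG: false'
cfg_sub '# LOG_LEVEL: DEBUG' 'LOG_LEVEL: ERROR'
cfg_sub '# SESSION_EXPIRE_AT_BROWSER_CLOSE: false' 'SESSION_EXPIRE_AT_BROWSER_CLOSE: true'
cfg_sub 'DB_HOST: 127.0.0.1' "DB_HOST: $(sed_escape "$DB_HOST")"
cfg_sub 'DB_USER: jumpserver' "DB_USER: $(sed_escape "$DB_USER")"
cfg_sub 'DB_PASSWORD: ' "DB_PASSWORD: $(sed_escape "$DB_PASSWORD")"
cfg_sub 'REDIS_HOST: 127.0.0.1' "REDIS_HOST: $(sed_escape "$REDIS_HOST")"
cfg_sub '# REDIS_PASSWORD:' "REDIS_PASSWORD: $(sed_escape "$REDIS_PASS")"

# Only non-secret settings are echoed. The original also printed DB_PASSWORD,
# SECRET_KEY and BOOTSTRAP_TOKEN, which lands in `docker service logs`.
echo -e "\033[31m 你的DB_HOST是 $DB_HOST \033[0m"
echo -e "\033[31m 你的DB_USER是 $DB_USER \033[0m"

nginx || exit 1
chmod +x /opt/jumpserver/jms && /opt/jumpserver/jms start all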

构建命令

docker build -t jumpserver:v1.0 .

运行命令

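# Deploy the jumpserver image as a one-replica swarm service.
# Port 80 is the web port used by browsers and by the coco/guacamole services
# (their JUMPSERVER_SERVER points at http://10.1.100.3:80).
# Anything passed with --env is readable through `docker service inspect` and
# in the task's environment; prefer an env file with restricted permissions or
# mounted secrets over inline literals, and generate fresh SECRET_KEY and
# BOOTSTRAP_TOKEN values (the ones below are this page's example values).
# The original listing interleaved comment lines with the arguments, which a
# shell treats as the end of the command; comments now sit above it and each
# argument line is continued with a backslash.
docker service create \
  --name="jumpserver" \
  --publish 80:80 \
  --env "SECRET_KEY=rjiVvmKJcNF5CNjeocwooBFjI7KetU2yrQhRmuW2TXVWzoe16m" \
  --env "BOOTSTRAP_TOKEN=tskMDJsbgxRc6WAx" \
  --env "DB_HOST=10.1.100.2" \
  --env "DB_USER=jumpserver" \
  --env "DB_PORT=3306" \
  --env "DB_PASSWORD=jumpserver" \
  --env "REDIS_HOST=10.1.100.1" \
  --env "REDIS_PASS=" \
  --replicas 1 \
  jumpserver:v1.0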

构建coco镜像及运行

书写内容

Dockerfile

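FROM centos:7

# The EPEL repo definition is fetched over plain HTTP from a mirror, so the
# repo file itself is not integrity-checked at build time.
RUN yum -y update && \
    curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

RUN yum -y install wget gcc epel-release git python36 python36-devel

# Create the virtualenv. Activating it inside a RUN step has no lasting effect
# (each RUN is a fresh shell), so the later steps re-activate it explicitly.
RUN mkdir -p /opt/ && cd /opt && \
    python3.6 -m venv py3

WORKDIR /opt

RUN git clone --depth=1 https://github.com/jumpserver/coco.git && cd coco/requirements && \
    yum -y install $(cat rpm_requirements.txt)

RUN source /opt/py3/bin/activate && pip install --upgrade pip setuptools
RUN source /opt/py3/bin/activate && pip install -r coco/requirements/requirements.txt

# start.sh reads BOOTSTRAP_TOKEN and JUMPSERVER_SERVER from the *runtime*
# environment; these ARGs are build-time only and never exported as ENV, so
# they must not carry secret defaults (an ARG default is recorded in the image
# history). The original BOOTSTRAP_TOKEN default was also a truncated 10-char
# copy of the 16-char token used by the jumpserver service. SECRET_KEY is not
# referenced by this image's start.sh.
ARG SECRET_KEY=
ARG BOOTSTRAP_TOKEN=
ARG JUMPSERVER_SERVER=http://localhost:8080

COPY start.sh start.sh
RUN chmod +x ./start.sh

EXPOSE 5000 9122
ENTRYPOINT ["./start.sh"]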

start.sh

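#!/bin/bash
# Container entrypoint for the coco image: renders /opt/coco/config.yml on the
# first start from the runtime environment, then starts cocod and keeps the
# container alive.
#
# Required env: BOOTSTRAP_TOKEN   (same value as the jumpserver service)
#               JUMPSERVER_SERVER (URL of the jumpserver core, e.g. http://10.1.100.3:80)

source /opt/py3/bin/activate
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 && export LC_ALL=zh_CN.UTF-8 && echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

# Fail early instead of writing an empty token / core host into the config.
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN must be set}"
: "${JUMPSERVER_SERVER:?JUMPSERVER_SERVER must be set}"

readonly config=/opt/coco/config.yml

# Escape a value for the right-hand side of a sed s/// expression ('/', '&', '\').
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

# config.yml is rendered only once so a restarted container keeps its settings.
if [ ! -f "$config" ]; then
    cp /opt/coco/config_example.yml "$config" || exit 1
    sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $(sed_escape "$BOOTSTRAP_TOKEN")/g" "$config"
    # DEBUG logging is verbose; consider INFO once the deployment is stable.
    sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: DEBUG/g" "$config"
    sed -i "s/# SSHD_PORT: 2222/SSHD_PORT: 9122/g" "$config"
    # '#' is the delimiter here because the URL contains '/'.
    sed -i "s#CORE_HOST: http://127.0.0.1:8080#CORE_HOST: ${JUMPSERVER_SERVER}#g" "$config"
fi

# .access_key looks like a credential file, so keep it owner-only; the
# original created it with mode 755 (world-readable).
if [ ! -f /opt/coco/data/keys/.access_key ]; then
    mkdir -p /opt/coco/data/keys
    echo "" > /opt/coco/data/keys/.access_key && chmod 600 /opt/coco/data/keys/.access_key
fi

chmod +x /opt/coco/cocod && /opt/coco/cocod start -d || exit 1

tail -f /dev/null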

构建镜像

docker build -t coco:v1.0 .

运行

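# Deploy the coco image as a one-replica swarm service.
# 9131 is the port jumpserver.conf proxies /coco/ and /socket.io/ to;
# 9122 is the SSH port users connect to on the bastion.
# --env values are readable through `docker service inspect`; prefer an env
# file with restricted permissions or mounted secrets, and use the same freshly
# generated BOOTSTRAP_TOKEN as the jumpserver service (the value below is this
# page's example). SECRET_KEY is not referenced by the coco start.sh above.
# Comment lines are kept above the command because a comment between
# backslash-continued arguments ends the command.
docker service create \
  --name="coco" \
  --publish 9131:5000 \
  --publish 9122:9122 \
  --env "SECRET_KEY=rjiVvmKJcNF5CNjeocwooBFjI7KetU2yrQhRmuW2TXVWzoe16m" \
  --env "BOOTSTRAP_TOKEN=tskMDJsbgxRc6WAx" \
  --env "JUMPSERVER_SERVER=http://10.1.100.3:80" \
  --replicas 1 \
  coco:v1.0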

构建guacamole镜像及运行

书写文件

Dockerfile

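FROM centos:7

# The EPEL repo definition is fetched over plain HTTP from a mirror, so the
# repo file itself is not integrity-checked at build time.
RUN yum -y update && \
    curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

RUN yum -y install wget gcc epel-release git python36 python36-devel

# The virtualenv is created for parity with the other images; start.sh only
# activates it. Activating inside a RUN step has no lasting effect, so the
# activate call is dropped from this step.
RUN mkdir -p /opt/ && cd /opt && \
    python3.6 -m venv py3

WORKDIR /opt

# Supply-chain caveat: the nux.ro signing key is imported over plain HTTP and
# the rpmfusion release packages are installed with --nogpgcheck, so neither
# repository's trust root is verified during the build. Pin and verify these
# before building this image for production.
RUN rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro && \
    rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm && \
    yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm

RUN yum install -y java-1.8.0-openjdk libtool
RUN yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
RUN yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript && \
    ln -s /usr/local/lib/freerdp/*.so /usr/lib64/freerdp/

# Build guacamole-server from the tarball bundled in jumpserver/docker-guacamole.
RUN yum -y install gcc automake autoconf libtool make
RUN git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git && cd /opt/docker-guacamole/ && \
    tar -xf guacamole-server-0.9.14.tar.gz && cd guacamole-server-0.9.14 && autoreconf -fi && \
    ./configure --with-init-dir=/etc/init.d && make && make install && cd .. && rm -rf guacamole-server-0.9.14 && \
    ldconfig

# Tomcat and the ssh-forward helper are downloaded without checksum
# verification, and the ssh-forward tarball is extracted straight into /bin.
# The original no-op sed that replaced Connector port="8080" with itself is
# removed; Tomcat keeps its default connector port, which EXPOSE 8080 and
# jumpserver.conf (9132 -> 8080) already assume.
RUN mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions && \
    ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-0.9.14.jar /config/guacamole/extensions/guacamole-auth-jumpserver-0.9.14.jar && \
    ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties && \
    cd /config && \
    wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.tar.gz && \
    tar xf apache-tomcat-8.5.40.tar.gz  && \
    rm -rf apache-tomcat-8.5.40.tar.gz && \
    mv apache-tomcat-8.5.40 tomcat8 && \
    rm -rf /config/tomcat8/webapps/* && \
    ln -sf /opt/docker-guacamole/guacamole-0.9.14.war /config/tomcat8/webapps/ROOT.war && \
    sed -i 's/FINE/WARNING/g' /config/tomcat8/conf/logging.properties && \
    cd /config && \
    wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz && \
    tar xf linux-amd64.tar.gz -C /bin/ && \
    chmod +x /bin/ssh-forward

COPY start.sh start.sh
RUN chmod +x ./start.sh

EXPOSE 8080
ENTRYPOINT ["./start.sh"]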

start.sh

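#!/bin/bash
# Container entrypoint for the guacamole image: exports the settings the
# guacamole-auth-jumpserver extension presumably reads, then starts guacd and
# Tomcat and keeps the container alive.
#
# Required env: BOOTSTRAP_TOKEN   (same value as the jumpserver service)
#               JUMPSERVER_SERVER (URL of the jumpserver core, e.g. http://10.1.100.3:80)

localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 && export LC_ALL=zh_CN.UTF-8 && echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
source /opt/py3/bin/activate

# Fail early instead of exporting empty values (the original `export X=$X`
# silently re-exported whatever was or was not set).
: "${JUMPSERVER_SERVER:?JUMPSERVER_SERVER must be set}"
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN must be set}"

export JUMPSERVER_SERVER BOOTSTRAP_TOKEN
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
export GUACAMOLE_HOME=/config/guacamole

# Kept from the original: persist the same settings for interactive shells.
# This appends on every start and leaves BOOTSTRAP_TOKEN in ~/.bashrc on the
# container filesystem.
{
  echo "export JUMPSERVER_SERVER=$JUMPSERVER_SERVER"
  echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN"
  echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys"
  echo "export GUACAMOLE_HOME=/config/guacamole"
} >> ~/.bashrc

# Abort the container instead of idling in `tail` when a daemon fails to start.
/etc/init.d/guacd start || exit 1
sh /config/tomcat8/bin/startup.sh || exit 1

tail -f /dev/null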

构建镜像

docker build -t guacamole:v1.0 .

运行

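# Deploy the guacamole image as a one-replica swarm service.
# 9132 is the port jumpserver.conf proxies /guacamole/ to (container port 8080).
# --env values are readable through `docker service inspect`; prefer an env
# file with restricted permissions or mounted secrets, and use the same freshly
# generated BOOTSTRAP_TOKEN as the jumpserver service (the value below is this
# page's example). Comment lines are kept above the command because a comment
# between backslash-continued arguments ends the command.
docker service create \
  --name="guacamole" \
  --publish 9132:8080 \
  --env "BOOTSTRAP_TOKEN=tskMDJsbgxRc6WAx" \
  --env "JUMPSERVER_SERVER=http://10.1.100.3:80" \
  --replicas 1 \
  guacamole:v1.0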

访问jumpserver

浏览器访问 http://10.1.100.3，默认用户名为 admin，密码为 admin

结束